Information Security Risk Oversight Professional

U.S. Bank
Cincinnati, OH
Onsite

About The Position

At U.S. Bank, we’re on a journey to do our best: helping the customers and businesses we serve to make better and smarter financial decisions, and enabling the communities we support to grow and succeed. We believe it takes all of us to bring our shared ambition to life, and each person is unique in their potential. A career with U.S. Bank gives you a wide, ever-growing range of opportunities to discover what makes you thrive at every stage of your career. Try new things, learn new skills and discover what you excel at—all from Day One.

Job Description

The Information Security Risk Oversight Professional serves as a key member of the Cybersecurity Risk Oversight team within the Second Line of Defense (2LoD). This role is accountable for providing independent oversight and credible challenge of the First Line Information Security program to ensure risks are appropriately identified, assessed, managed, monitored, and reported in alignment with regulatory requirements, industry standards, and internal risk appetite.

This position is intentionally designed for a senior, autonomous professional who can manage their own oversight portfolio, prioritize work based on material risk, and engage effectively with Information Security Services, Technology teams, and senior leadership.

Requirements

  • Bachelor's degree, or equivalent work experience
  • Typically more than eight years of applicable experience

Nice To Haves

  • Strong foundational understanding of information security domains (e.g., vulnerability management, identity and access management, application security, cloud security, security governance, incident management).
  • Demonstrated ability to perform risk assessments and oversight activities with depth, critical thinking, and professional skepticism.
  • Experience operating in or with a Second Line of Defense, audit, or regulatory environment is strongly preferred.
  • Proven ability to work independently and autonomously, managing priorities and delivering high‑quality work with limited direction.
  • Strong written and verbal communication skills, including the ability to translate technical risk into clear, executive‑ready insights.
  • Ability to engage confidently with senior stakeholders while maintaining independence, objectivity, and professionalism.
  • Relevant certifications (e.g., CISSP, CISA, CRISC, CISM) are preferred but not required.

Responsibilities

  • Provide independent oversight and credible challenge of the Information Security program across multiple security pillars, including governance, risk assessments, controls, metrics, and issue management.
  • Perform risk‑based assessments of first line security practices, identifying gaps, weaknesses, thematic concerns, emerging risks, and control deficiencies.
  • Develop and articulate independent risk opinions supported by sound analysis, evidence, and professional judgment.
  • Evaluate alignment of first line activities with applicable laws, regulations, regulatory guidance, industry standards (e.g., NIST 800-53, FFIEC, PCI, NIST CSF 2.0, etc.), and internal policies.
  • Monitor key risk indicators, security metrics, assessment results, and issue trends to identify systemic risks or areas requiring escalation.
  • Escalate material risks, control weaknesses, or ineffective risk management practices through appropriate governance and reporting channels.
  • Act as a subject matter expert on information security risk, providing insights and guidance to stakeholders while maintaining 2LoD independence.
  • Build and maintain strong, professional relationships with first line stakeholders while confidently challenging assumptions, conclusions, and risk positions when necessary.
  • Contribute to executive‑level risk reporting by clearly summarizing risk posture, trends, and areas of concern in a concise and defensible manner.
  • Stay current on evolving cybersecurity threats, regulatory expectations, and industry best practices to continuously strengthen oversight effectiveness.

Benefits

  • Healthcare (medical, dental, vision)
  • Basic term and optional term life insurance
  • Short-term and long-term disability
  • Pregnancy disability and parental leave
  • 401(k) and employer-funded retirement plan
  • Paid vacation (from two to five weeks depending on salary grade and tenure)
  • Up to 11 paid holiday opportunities
  • Adoption assistance
  • Sick and Safe Leave accruals of one hour for every 30 worked, up to 80 hours per calendar year unless otherwise provided by law

What This Job Offers

Job Type

Full-time

Career Level

Mid Level

Number of Employees

5,001-10,000 employees

© 2024 Teal Labs, Inc